This repository has been archived by the owner on Sep 22, 2022. It is now read-only.

ReOpenLDAP-1.1.3

@erthink erthink released this 30 Aug 18:08
· 838 commits to master since this release

Briefly:

  1. Imported all relevant patches from RedHat, ALT Linux and Debian/Ubuntu.
  2. More fixes, especially for TLS and Mozilla NSS.
  3. Checked with the PVS-Studio static analyser (the first 10 defects were shown and fixed).
    Checking with the Coverity static analyser was also started, but unfortunately there are
    a lot of false positives (pending fixing).

New features and Compatibility breaking:

  • (+) configure --with-gssapi=auto/yes/no.
  • (*) slapi: use /var/log/slapi-errors instead of /var/errors.
  • (!) slapd: move the ldapi socket to /var/run/slapd from /var/run.
  • (!) reopenldap LICENSE note.
  • (+) configure --enable-debug=extra.
  • (+) libreldap: NTLM bind support.
  • (+) contrib: added check_password module.
  • (+) contrib: allow build smbk5pwd without heimdal-kerberos.
  • (!) libreldap: Disables opening of ldaprc file in current directory (RHEL#38402).
  • (+) libreldap: Support TLSv1.3 and later.

Documentation:

  • (+) man: added page for contrib/smbk5pwd.
  • (*) man: note for ldap.conf that on Debian it is linked against GnuTLS.
  • (+) doc: added preamble to devel/README.
  • (-) man: remove reference to <ldap_log.h>
  • (*) man: note olcAuthzRegex needs restart (ITS6035).
  • (*) doc: fixed readme's module-names for contrib (.so -> .la)
  • (*) mdbx: comment MDB_page, rename mp_ksize.
  • (*) mdbx: VALID_FLAGS, mm_last_pg, mt_loose_count.
  • (+) man: fixed SASL_NOCANON option missing in ldap.conf manual page.

Major and Security bugs:

  • (*) slapd: fixed #104, check for writers while closing the connection.
  • (*) slapd: fixed #103, stop glue-search on errors.
  • (*) libreldap: MozNSS fixed CVE-2015-3276 (RHEL#1238322).
  • (*) libreldap: TLS do not reuse tls_session if hostname check fails (RHEL#852476).
  • (*) slapd: Switch to lt_dlopenadvise() to get RTLD_GLOBAL set (RHEL#960048, Debian#327585).
  • (*) libreldap: reentrant gethostby() (RHEL#179730).
  • (*) libreldap: MozNSS ignore certdb database type prefix when checking existence of the directory (RHEL#857373).

Minor bugs:

  • (*) slapd: fixed comparison of a pointer with '\0' in syn_add().
  • (*) slapd: fixed indereferenced pointer in fe_acl_group().
  • (*) libreldap: fixed overwriting a parameter in tlso_session_errmsg().
  • (*) slapd: fixed recurring check in register_matching_rule().
  • (+) syncprov/syncrepl: more for #105, two workarounds.
  • (*) mdbx: fixed mdb_dump tool and other issues detected by PVS-Studio.
  • (*) mdbx: fixed assertions when debug enabled for various open/sync modes.
  • (*) slapd: fixed use-after-free in debug/syslog message on module unloaded.
  • (*) monitor-backend: fixed cache-release on errors.
  • (-) slapd: don't create pid-file for config-check mode.
  • (+) libreldap: "tls_reqcert never" by default for ldap.conf
  • (-) libreldap: Disables opening of ldaprc file in current directory (RHEL#38402).
  • (*) libreldap: MozNSS update list of supported cipher suites.
  • (*) libreldap: MozNSS better file name matching for hashed CA certificate directory (RHEL#852786).
  • (*) libreldap: MozNSS free PK11 slot (RHEL#929357).
  • (*) libreldap: MozNSS load certificates from certdb, fallback to PEM (RHEL#857455).
  • (*) slapd: fixed loglevel2bvarray() for config-backend.
  • (*) libreldap: LDAPI SASL fix (RHEL#960222).
  • (*) libreldap: use AI_ADDRCONFIG if defined in the environment (RHEL#835013).
  • (*) libreldap: fixed false-positive ASAN-trap when Valgrind also enabled.

Performance:

  • (-) libreldap: remove resolv-mutex around getnameinfo() and getnameinfo() (Debian#340601).
  • (*) slapd: fixed major typo in rurw_r_unlock() which could cause performance degradation.

Build:

  • (+) configure: added --with-gssapi=auto/yes/no.
  • (*) mdbx: fixed CC and XCFLAGS in 'ci' make-target rules.
  • (*) mdbx: fixed 'clean' make-target typo.
  • (*) mdbx: fixed Makefile deps from mdbx.c
  • (*) tests: fixed lt-exe-name for coredump collection.
  • (+) backend-mdb: enable debug for libmdbx if --enable-debug.
  • (*) mdbx: make ci-target without NDEBUG and with MDB_DEBUG=2.
  • (+) mdbx: allow CC=xyz for ci-target rules.
  • (*) configure: fixed cases when the package corresponding to --with-tls=xyz is not available.
  • (+) configure: take into account --enable-lmpasswd for TLS choice.
  • (*) configure: workaround for --enable-lmpasswd with GnuTLS (ITS#6232).
  • (*) liblutils: fixed build with --enable-lmpasswd.
  • (*) libreldap: fixed warnings when Mozilla NSS used.
  • (*) configure: rework TLS detection (Mozilla NSS, GnuTLS, OpenSSL).
  • (*) libreldap: fixed build --with-tls=gnutls.
  • (-) contrib: don't build passwd/totp, passwd/pbkdf2 and smbk5pwd with --with-tls=moznss.
  • (+) automake: install lber_types.h and ldap_features.h
  • (*) automake: fixed $(DESTDIR) for install/uninstall hooks.
  • (*) automake: fixed ldapadd tool uninstall.
  • (*) configure: Check whether ucred is defined without _GNU_SOURCE.
  • (*) slapd: don't link with BerkeleyDB, but bdb/hdb backends only.
  • (*) configure: checking for krb5-gssapi for contrib-gssacl.
  • (*) configure: Use pkg-config for Mozilla NSS library detection.
  • (*) libreldap: fixed build in case --with-tls=moznss.

Cosmetics:

  • (+) slapindex: print a warning if it's run as root.
  • (*) fixed printf format in mdb-backend and liblunicode.
  • (*) fixed minor typo in print_vlv() for ldif-output.
  • (*) mdbx: minor fix mdb_page_list() message
  • (*) fixed 'experimantal' typo ;)
  • (*) slap-tools: fixed set debug-level.

Other:

  • (+) reopenldap AUTHORS and CONTRIBUTION.
  • (*) reopenldap: fix copyright timestamps.
  • (*) libreldap: fixed deprecated ldap_search_s() in case --with-gssapi=yes.
  • (-) libreldap, slapd: don't second-guess SASL ABI (Debian#546885).
  • (+) slapd: added LDAP_SYSCONFDIR/sasl2 to the SASL configuration search path.
  • (-) backend-bdb: don't second-guess BDB ABI (Debian#651333).
  • (+) libreldap: added /etc/ssl/certs/ca-certificates.crt for ldap.conf
  • (+) reopenldap: added Coverity scan build status.
  • (*) mdbx: fix usage of __attribute__((format(gnu_printf, ...))) for clang.
  • (+) backend-mdb: turn MDBX's debugging depending on --enable-debug=xyz.
  • (*) reopenldap: use LDAP_DEBUG instead of !NDEBUG.
  • (-) reopenldap: remove obsolete OLD_DEBUG.
  • (*) tests: more for #92 (mtread).
  • (*) tests: added biglock to test048-syncrepl-multiproxy.
  • (*) slapd: refine biglock for passwd_extop().
  • (*) tests: fixed #105, adds biglock to test054-syncrepl-parallel-load.
  • (*) libreldap: more workarounds for #104.
  • (*) slapd: show 'glue' like a static overlay.
  • (*) mdbx: fixed copyright timestamps.
  • (*) mdbx: check assertions depending on NDEBUG.
  • (*) contrib/check_password: fixed default values usage.
  • (*) tests: support RANDOM_ORDER for load balancing.
  • (*) libreldap: TLS fixed unused warnings.
  • (*) slapd: backtrace for CLM-166490.
  • (*) tests: use Valgrind from configure.